Ubuntu
samba package

Changes to Samba packages for April 12 prevent legacy Windows clients from logging in to NT4 style domain

Bug #1574228 reported by Michael Lueck on 2016-04-24

This bug report is a duplicate of: Bug #1572122: Samba upgrade to 3.6.25-0ubuntu0.12.04.2 break domain authentication. Edit Remove

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	samba (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

On Ubuntu 12.04 fully patched, this weekend I attempted to apply the samba 2:3.6.25-0ubuntu0.12.04.2 updates. That resulted in a Samba NT4 PDC that downlevel Windows clients could no longer log in to. Logging into said Windows machines with a local account and manually issuing the NET USE command to bring up drive mounts to the Samba server were successful.

I have taken log snapshots with Samba logging set to level 3 of a Windows XP virtual machine attempting to connect to the Samba PDC server.

From the working log I see:

  switch message SMBwriteX (pid 4906) conn 0xb82f9978
  api_rpcTNP: rpc command: NETR_LOGONSAMLOGON
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/MDLXP
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MDLXP
  Forcing Primary Group to 'Domain Users' for mdlueck

Whereas in the not working log I see at the same spot:

switch message SMBwriteX (pid 21144) conn 0xb96f7200
srv_pipe_check_verification_trailer: failed

Perhaps did Samba make a change that requires something to be specified in the smb.conf to accept connections from legacy clients?

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-04-24:

Diff of the two log files of the Window XP VM trying to connect Edit (364.8 KiB, image/png)

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-04-24:

Log of successful Windows XP login running Samba 3.6.3 Edit (398.3 KiB, text/plain)

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-04-24:

Log of failed Windows XP login running Samba 3.6.25 Edit (57.2 KiB, text/plain)

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-04-24:

Part of the smb.conf of one of the servers - complete other than the shares Edit (1.9 KiB, text/plain)

Revision history for this message

frankie (frankie-etsetb) wrote on 2016-04-25:

This may be related to that debian bug report from samba at the very same date:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820981

I looks like some people manage it installing winbind. I worked it around downgrading samba and related packages.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-04-25:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status:	New → Confirmed

Revision history for this message

John Edwards (john-cornerstonelinux) wrote on 2016-04-25:

Are you using an LDAP backend?
This may be a duplicate of bug #1572122.

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-04-25:

@John #7, no we do not make use of the LDAP backend, thus did not spot the similarities with bug #1572122.

I suspect this is not directly related to/not to the presence of an LDAP backend or not.

Revision history for this message

John Edwards (john-cornerstonelinux) wrote on 2016-04-25:

@Michael #8, yes the problem was all of our servers run with an LDAP backend so I could not test a server without that. Bug seems to be more in the domain trust area or RPC.

This is the proposed patch by Andreas Schneider, who has been working on the problem at Red Hat:
https://git.samba.org/?p=asn/samba.git;a=commit;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5

And that patch seems to be in RPC and so probably independent of LDAP.

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-04-25:

#10

@John #9, I had brought to my attention this:

https://wiki.samba.org/index.php/Samba_4.2_Features_added/changed
New smb.conf options

I make use of both OS/2 which has a LANServer client integrated, and the DOS LANManager client in order to connect to our Samba server for drive imaging. I was suspecting I need to investigate adding:

client ipc min protocol
allow dcerpc auth level connect

options. If it really seems no smb.conf adjustments were required as part of applying this proposed update to the Samba packages I will hold off testing adjusting the smb.conf files for now.

Thank you.

Revision history for this message

Michael Lueck (mlueck) wrote on 2016-05-07:

#11

(Cross posting final solution here...)

Michael Lueck (mlueck) wrote 9 hours ago: #39

I applied to Ubuntu Server 12.04 Samba update 2:3.6.25-0ubuntu0.12.04.3 and am pleased and relieved to see my test Windows XP client once again able to login to the Samba NT4 style domain.

This update appears to resolve the defect I originally opened:
[Bug 1574228] Changes to Samba packages for April 12 prevent legacy Windows clients from logging in to NT4 style domain

Note: I did not make ANY changes to my configuration / settings. Only upgraded to this new build of the Samba packages.

I am thankful,
Michael